understanding how conntrack works
Alan Ezust
alan.ezust at presinet.com
Mon Oct 23 20:19:12 CEST 2006
Greetings all, I'm exploring the kernel source trying to understand better how
the conntrack facility works. I had a couple of questions which I hope
someone more familiar with the code can answer...
Q: Where in the code does a table entry get added to the conntrack table?
nf_conntrack_put doesn't seem to contain much code related to that.
Q: Where in the code are the conntrack data lines being written, and using what
mechanism? (kprintf? procfs?)
I did some ctags jumping and keep coming to the nf_conntrack_put function,
which I expected to contain the code. Instead it only contains a
<pre>
// ip_conntrack.h:
static inline void
ip_conntrack_put(struct ip_conntrack *ct)
{
	IP_NF_ASSERT(ct);
	nf_conntrack_put(&ct->ct_general);
}

// skbuff.h:
#ifdef CONFIG_NETFILTER
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
	if (nfct && atomic_dec_and_test(&nfct->use))
		nfct->destroy(nfct);
}
</pre>
The "destroy" call is an indirect function call, which appears to be a call
(most of the time) to nf_conntrack_core.c:541
<pre>
static void destroy_conntrack(struct nf_conntrack *nfct)
</pre>
I hope the table updating and kprintf lines are not embedded within the
destroy code?
Q: What is "master"?
It seems that conntrack data has a concept called "master". When a connection
is "destroyed", a call to the "master" destroy is also made. What is the
relationship between the nf_conntrack and the master of an nf_conntrack
(it appears to be a tree or a linked list)? It seems to be an ownership
relationship.